Statement of
Lorraine Lewis
Inspector General
U.S. Department of Education

Before the
Subcommittee on Oversight and Investigations
Committee on Education and the Workforce
U.S. House of Representatives

September 19, 2000

Mr. Chairman and Members of the Subcommittee:

I am here today at your invitation to discuss matters related to financial management and computer security at the Department of Education. Specifically, I will address: (1) the Department’s progress on fiscal year (FY) 1999 financial statement audit recommendations; (2) the status of the FY 2000 financial statement audit; (3) a summary of duplicate payments made in FY 2000; (4) recent OIG computer security reviews; and (5) recent investigations.

Progress on FY 1999 Financial Statement Audit Recommendations

On March 1, 2000, we testified before the Subcommittee on Oversight and Investigations and reported that a total of 139 recommendations had been made for the FY 1995 through the FY 1999 financial statement audits. At that time, 111 recommendations remained open, 28 were closed, and 74 were non-repetitive. Since that hearing, the Department provided us with a response to the FY 1999 financial statement audit and corrective action plans for all of the financial statement audits.

Through the cooperative efforts of the Department and my office, 95 recommendations have closed and 44 remain open. Thirty of the 44 recommendations open for corrective action are non-repetitive. Of the 24 recommendations contained in the FY 1999 financial statement audit, 18 are open and six are closed.

The Department provided my office with updated corrective action plans for the FY 1995 through FY 1999 financial statement audits on September 15, 2000. Currently, we are assessing these corrective action plans.

Fiscal Year 2000 Financial Statement Audits

As a result of meeting the March 1, 2000, deadline for the FY 1999 audit, we are much further along in the audit of FY 2000 than we were this time last year for FY 1999. Timely reporting for FY 1999 has allowed us to plan earlier for this year's audit, with the greatest strides made in the coordination of our own systems audit efforts with those of Ernst & Young's information systems auditors. This coordination has helped increase the audit coverage in this important area of work.

The Department has focused earlier on the financial statement preparation process. For example, the Department prepared two sets of interim statements, as of March 31 and June 30. The final financial statements are due to us on December 1. As Ernst & Young will testify, we are unable to forecast or speculate as to the ultimate opinion which will be rendered in March 2001.

Duplicate Payments

At your request, I am providing this summary of duplicate payments issued by the Department in FY 2000. Four instances of duplicate payments occurred in FY 2000 and involved either grants or student financial assistance. Three of these instances were discovered soon after they occurred by the grantees or schools and the Department was subsequently informed. The other instance was identified by system controls in the electronic payment system.

Two of the instances occurred in October 1999 and two occurred in December 1999. In October, a payment for $19 million was transmitted twice, then subsequently recovered by an electronic reversal. A second instance resulted in $125 million in duplicate payments being issued to approximately 48 grantees. In December 1999, duplicate payments totaling $663,472 were issued to 51 schools, and $6 million was issued to one school. All of these duplicate payments have been recovered.

Computer Security

Several recent OIG reports indicate that the Department needs to improve its computer security controls.

Report on Security Posture, Policies, and Plans

In February 2000, we issued an audit that reviewed the security posture, policies and plans for the Department’s 14 mission-critical information technology systems. Our objective was to determine the existence of required security documentation and its compliance with applicable requirements of the Computer Security Act [40 U.S.C. 1441 note], Paperwork Reduction Act [44 U.S.C. 3506(g)(1)], and Appendix III of the Office of Management and Budget’s (OMB) Circular A-130. Specifically, we determined whether these systems had security plans in place, met requirements for a current security review, and had corrective action plans in place to correct identified deficiencies. We also determined whether the Department took steps to screen appropriate personnel and whether system security officers received security training. Our scope did not include a security review of the remaining 161 systems that the Department identifies as non-critical.

During this review, we found the following weaknesses: (1) the Department has not completed revisions of its security policies; (2) systems security officers of student financial assistance systems do not report to managers that have functional authority over the process being automated; (3) security plans are not in place for six mission-critical systems; (4) the Department did not complete required security reviews for six mission-critical systems; (5) there is no process to ensure resolution of identified security deficiencies; (6) many employees responsible for overseeing computer security lack required technical security training; (7) the Department has not taken steps to ensure that appropriate personnel are screened. Two of these findings -- the lack of security plans and the lack of technical security training -- represent noncompliance with the Computer Security Act. All seven findings represent noncompliance with the OMB Circular A-130. Because the Department is not adhering to requirements in Circular A-130, it may not be in compliance with the Paperwork Reduction Act.

The Department agreed with the overall content of our report and concurred with the seven findings. The Chief Information Officer (CIO) recently informed us that the security reviews have now been completed for the remaining six systems and that security plans should be in place for all critical systems by October 2000. The CIO has also updated its IT security policy and submitted it for clearance as a Department directive. In July, the Deputy Secretary issued a memorandum requiring all Department staff to complete computer security awareness training. According to the Department, as of September 13, 2000, 85 percent of Department staff have completed this training. The CIO is also working to identify individuals who need more specialized training and to acquire the appropriate courses for these staff. As we recommended, the Department also reported security management as a material weakness in its 1999 Federal Managers’ Financial Integrity Act report. We will continue to monitor the Department’s corrective actions to address our findings and recommendations, as well as conduct an annual review of the Department’s security program.

Reviews of GAPS and EDNet

We have also performed detailed security audits of two critical systems in the Department -- the Grant Administration and Payment System (GAPS) and the Department-wide network (EDNet). The review of GAPS security was completed in September 1998. The report Review of EDNet Security was completed in July 2000 and evaluated the security posture of the Department’s information technology infrastructure. The EDNet is the Department’s primary network facility and is comprised of a telecommunications system and many connected resources, including large computers, printers, and local area networks (servers). Use of EDNet allows connectivity among all Departmental information technology resources.

We identified several areas in these audits where the Department can strengthen controls to enhance overall accountability and control of these systems. We cannot disclose the specific findings and recommendations to the public since these audits contain sensitive security-related information. The Department concurred with our findings and recommendations and we will continue to monitor the progress of their corrective actions.

Review of PDD 63

Our office also recently completed work on an audit entitled Review of Planning and Assessment Activities for Presidential Decision Directive 63 – Critical Infrastructure Protection. Presidential Decision Directive 63 (PDD 63) is a national effort to assure the security of the nation’s critical infrastructures. We are participating in a government-wide review by the President’s Council on Integrity and Efficiency on implementation of PDD 63. Our current audit represents the first phase of this project. The objective for the first phase was to assess the adequacy of agency planning and assessment activities for protecting their critical, cyber-based infrastructures. We reviewed: (1) the adequacy of the Department’s plans; (2) its asset identification efforts; and (3) initial vulnerability assessments. We found that the Department needs to revise and implement its critical infrastructure protection plan, identify its critical infrastructure assets, and conduct vulnerability assessments of those assets. Overall, we made ten recommendations to the Department that address our findings. The Department has concurred with our findings and recommendations and we will monitor the progress of their corrective actions.

Recent Actions

Among those actions already implemented, the Department’s CIO designated a Deputy CIO for Information Assurance and assigned three additional staff members to the IT security area. The Department has also established the Information and Critical Infrastructure Assurance Steering Committee (Steering Committee). Its mission is to advise the Deputy Secretary, CIO, and Chief Infrastructure Assurance Officer on Department-wide IT security and critical asset assurance policies and to coordinate and help implement the Department’s information security and critical information structure assurance program. The Committee is co-chaired by Deputy Secretary Frank Holleman and CIO Craig Luigart. Senior officers have designated principal office representatives.

The Steering Committee has established several work groups to assist with: (1) security awareness and training, (2) incident handling, (3) background investigations, (4) continuity of operations in case of disaster, (5) authentication and public key infrastructure, (6) privacy protection, and (7) development and implementation of a Department-wide Critical Infrastructure Protection Plan. The CIO has informed us that the Department has established an interagency agreement to use the General Services Administration’s Safeguard Program to seek contractual support for identifying critical infrastructure assets by December 2000 and perform vulnerability assessments by April 2001. The CIO has informed us that he expects to submit a revised critical infrastructure protection plan to the Steering Committee in October 2000.

These audits reflect the need for improved computer security at the Department. We have identified improvement of computer security posture, policies, and plans as a top management challenge and we will continue to closely monitor the Department’s corrective actions on our existing audits. Additionally, we plan to conduct an annual review of the Department’s computer security program.

Investigations

As your staff requested verbally, I am providing information on pending investigations. Since the investigations are ongoing, I am providing only the information that is publicly available through court filings or other public disclosures.

Investigation 1

We are conducting a vigorous investigation of individuals who, between 1997 and 1999, purchased equipment with federal funds for non-business related purposes, billed the Department for hours not worked, and received goods purchased with federal funds for personal use. These items include computers, printers, computer software, scanners, cordless telephones, a 61-inch television, walkie-talkies, compact disc players, and other equipment. The total cost of these items to the Department was over $300,000. In addition, it is estimated that between January 1, 1997, and November 30, 1999, approximately $634,000 in unworked hours were fraudulently charged to the Department by individuals involved in the case. Thus far, three individuals, Robert J. Sweeney, Joseph Dennis Morgan, and Raymond L. Morgan, Jr. have pled guilty based on their involvement in the case.

Additionally, the U.S. Attorney’s Office for the District of Columbia has filed criminal charges against three other individuals associated with this criminal activity. These three individuals are current employees of the Department who have been placed on indefinite suspension without pay.

Investigation 2

On this matter, I can discuss only what has been made a matter of public record by the filing of a civil complaint to recover fraudulently misdirected Impact Aid funds. My office and the FBI are conducting a vigorous investigation, in conjunction with the U.S. Attorney’s Office for the District of Columbia.

On July 13, 2000, the Department of Justice filed a verified civil complaint for forfeiture in rem to recover $1,657,980 from several bank accounts, two vehicles, and a building in Riverdale, Maryland. After serving the appropriate interested parties, publishing required notices and waiting the required periods during which time no answers or claims were filed, the Department of Justice filed a motion for default judgment of forfeiture, which is pending before the U.S. District Court for the District of Columbia.

Background information set forth in the complaint states that $1.9 million in Impact Aid grant funds were fraudulently wired into two bank accounts. These Impact Aid funds should have been disbursed to two school districts in South Dakota. Nearly all the funds and property purchased with these funds have been seized by the United States. A lis pendens has been placed against the real property. The cars were located and seized in April and May 2000 by OIG, FBI, and local police in Maryland.

Conclusion

Our support for strong financial management and computer security is evidenced by the audits and investigations discussed above. In addition, we will continue to identify areas for improvement at the Department of Education.

Ultimately, the design and implementation of any internal control must be based on an analysis of costs and benefits. Even well designed and implemented internal controls cannot provide absolute assurance against fraud, waste, and abuse. There will always be factors such as human mistakes and acts of collusion that will be outside the control or influence of management. That is why we need to remain vigilant and maintain a credible deterrence through, among other things, a regular program of management reviews, an active hotline function, and vigorous audit, investigative, and inspection operations.

Mr. Chairman, that concludes my prepared testimony. I am happy to answer any questions you or other members of the Subcommittee may have on these issues.